httpd-users mailing list archives

From Luiz Guilherme Nunes Fernandes <narutospi...@gmail.com>
Subject [users@httpd] Re: Error with Kerberos in Apache
Date Wed, 10 May 2017 19:56:12 GMT
Help me,

These are my new errors; I have no idea now what the problem is.

Errors:
[Wed May 10 16:44:38.642059 2017] [auth_kerb:error] [pid 13249] [client
10.251.14.140:47141] failed to verify krb5 credentials: Server not found in
Kerberos database, referer: http://10.1.1.76/

#######################################################
/etc/krb5.conf

# Library-wide defaults for Kerberos clients on this host.
[libdefaults]
# Realm assumed when a principal is written without an explicit @REALM.
 default_realm = REDE.COM.BR
# Host-to-realm mapping comes from [domain_realm] below, not from DNS TXT records.
 dns_lookup_realm = false
# DNS SRV discovery of KDCs stays enabled. Per the MIT krb5.conf documentation it is only
# consulted for realms with no kdc listed, and [realms] below lists one for REDE.COM.BR.
 dns_lookup_kdc = true
# Requested lifetimes; the KDC's own policy can still issue shorter tickets.
 ticket_lifetime = 24h
 renew_lifetime = 7d
# NOTE(review): forwardable tickets can be passed on to services that then act for the user;
# keep this only if delegation is actually needed.
 forwardable = true
# No reverse-DNS canonicalisation of host names when service principals are built.
 rdns = false
# Credential cache is kept in the kernel keyring, one per numeric uid.
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# NOTE(review): kdc and admin_server are set to the realm's DNS name rather than a named
# server; presumably that name resolves to the domain controllers - confirm, because every
# KDC request then depends on that DNS answer.
 REDE.COM.BR = {
 kdc = REDE.COM.BR
 admin_server = REDE.COM.BR
 }

# Maps hosts under rede.com.br (leading-dot entry) and the bare name rede.com.br to the realm.
[domain_realm]
 .rede.com.br=REDE.COM.BR
 rede.com.br=REDE.COM.BR

######################################################
klist -k /etc/httpd/conf.d/krb5.keytab
Keytab name: FILE:/etc/httpd/conf.d/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
  14 host/delorean2.rede.com.br@REDE.COM.BR
  14 host/delorean2.rede.com.br@REDE.COM.BR
  14 host/delorean2.rede.com.br@REDE.COM.BR
  14 host/delorean2.rede.com.br@REDE.COM.BR
  14 host/delorean2.rrede.com.br@REDE.COM.BR
  14 host/DELOREAN2@REDE.COM.BR
  14 host/DELOREAN2@REDE.COM.BR
  14 host/DELOREAN2@REDE.COM.BR
  14 host/DELOREAN2@REDE.COM.BR
  14 host/DELOREAN2@REDE.COM.BR
  14 DELOREAN2$@REDE.COM.BR
  14 DELOREAN2$@REDE.COM.BR
  14 DELOREAN2$@REDE.COM.BR
  14 DELOREAN2$@REDE.COM.BR
  14 DELOREAN2$@REDE.COM.BR

########################################################
cat /etc/httpd/conf.d/proxy.conf
# Reverse proxy in front of a service on localhost:631, with Kerberos authentication
# enforced on every path before a request is forwarded.
# NOTE(review): the vhost is plain HTTP (*:80) and no closing </VirtualHost> appears in
# this paste.
<VirtualHost *:80>
    ProxyPreserveHost Off
    ProxyPass / http://localhost:631/
    ProxyPassReverse / http://localhost:631/

<Location />
 AuthName "Login"
 AuthType Kerberos
 # SPNEGO/Negotiate: the browser presents a service ticket, no password reaches the server.
 KrbMethodNegotiate on
 # Password fallback: the browser sends user name and password in a Basic-style header and
 # mod_auth_kerb checks them against the KDC.
 # NOTE(review): on this port-80 vhost that password crosses the network base64-encoded
 # only; serve the location over TLS or turn the fallback off.
 KrbMethodK5Passwd on
 KrbAuthRealms REDE.COM.BR
 # NOTE(review): the klist output in this message shows only host/... and DELOREAN2$
 # entries in this keytab, no HTTP/<fqdn> principal. The debug log in the quoted earlier
 # message shows mod_auth_kerb using "HTTP/10.1.1.75@" as the server principal, i.e. the
 # HTTP service name plus the address typed in the browser. That is the likely source of
 # "Server not found in Kerberos database": register an HTTP/<fqdn> principal, export it
 # to a keytab, and browse by that FQDN instead of the IP address.
 # Fix the principal rather than disabling KrbVerifyKDC, which is the check that protects
 # the password path against a spoofed KDC.
 # NOTE(review): this keytab holds the machine account and host keys. A dedicated keytab
 # containing only the HTTP service key, readable by the httpd user alone, exposes less
 # if the web server is compromised.
 Krb5Keytab /etc/httpd/conf.d/krb5.keytab
 # Strips the @REALM part so the application sees the short user name; only one realm is
 # accepted above, so names from different realms cannot collide here.
 KrbLocalUserMapping on
 # Any principal that authenticates is let through; no group or user restriction applies.
 Require valid-user

 # NOTE(review): the AuthLDAPUrl value is split across two lines here, presumably by the
 # mail client; in the real file it has to be a single line.
 # NOTE(review): with AuthType Kerberos and only "Require valid-user", these AuthLDAP*
 # settings are presumably not consulted - confirm. If they are used, ldap:// sends the
 # bind password and search results unencrypted; prefer ldaps:// or STARTTLS.
 AuthLDAPUrl ldap://
rede.com.br/ou=usuarios,dc=rede,dc=com,dc=br?sAMAccountName
 AuthLDAPBindDN cn=UsrLDAP,cn=Users,dc=rede,dc=com,dc=br
 # Bind password is stored in clear text in this file (redacted in the post); keep the
 # file readable by root only.
 AuthLDAPBindPassword XXXXXX
 LDAPReferrals Off

</Location>



2017-05-09 9:53 GMT-03:00 Luiz Guilherme Nunes Fernandes <
narutospinal@gmail.com>:

> Well, i try my first test and work,  if i authentic with Ldap protocols
> without kerberos work, but i try add kerberos, show erros messages in log.
> Any idea?
>
> No errors in apachectl configtest
>
>
> ###############################################
> cat /etc/krb5.conf
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = REDE.COM.BR
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  dns_lookup_realm = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>  rdns = false
>  default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
>  REDE.COM.BR = {
>  kdc = REDE.COM.BR
>  admin_server = REDE.COM.BR
>  }
>
> [domain_realm]
>  .rede.com.br=REDE.COM.BR
>  rede.com.br=REDE.COM.BR
>
> ###############################################
>
> kinit root
> Password for root@REDE.COM.BR:
>
> klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: root@REDE.COM.BR
>
> Valid starting       Expires              Service principal
> 05/09/2017 09:45:36  05/09/2017 19:45:36  krbtgt/REDE.COM.BR@REDE.COM.BR
> renew until 05/16/2017 09:45:34
>
> ###############################################
>  cat /etc/httpd/conf.d/proxy.conf
> <VirtualHost *:80>
>     ProxyPreserveHost Off
>     ProxyPass / http://localhost:631/
>     ProxyPassReverse / http://localhost:631/
>
>
> LogLevel debug
>
> <Location />
>
>  AuthType Kerberos
>  KrbMethodNegotiate On
>  AuthName "REDE.COM.BR Domain Login"
>  KrbMethodK5Passwd On
>  KrbAuthRealms REDE.COM.BR
>  Krb5KeyTab /etc/httpd/conf.d/httpd.keytab
>  KrbLocalUserMapping on
>  require valid-user
>
> #   AuthName "Informe usuario da rede"
> #   AuthType Basic
> #   AuthBasicProvider ldap
>    AuthLDAPUrl ldap://rede.com.br/ou=usuarios,dc=rede,dc=com,dc=br?
> sAMAccountName
>    AuthLDAPBindDN cn=users,dc=rede,dc=com,dc=br
>    AuthLDAPBindPassword XXXXXX
>    Require valid-user
>    LDAPReferrals Off
>    </Location>
> #</Directory>
>
> </VirtualHost>
>
>
> ###############################################
>
> [root@delorean1 conf.d]# tail -f /var/log/httpd/error_log
> [Mon May 08 17:48:42.320886 2017] [auth_kerb:error] [pid 19879] [client
> 10.251.14.140:55636] failed to verify krb5 credentials: Server not found
> in Kerberos database, referer: http://10.1.1.75/
> [Mon May 08 17:48:42.320898 2017] [auth_kerb:debug] [pid 19879]
> src/mod_auth_kerb.c(1127): [client 10.251.14.140:55636]
> kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL),
> referer: http://10.1.1.75/
> [Mon May 08 17:48:55.301656 2017] [authz_core:debug] [pid 19881]
> mod_authz_core.c(809): [client 10.251.14.140:55638] AH01626:
> authorization result of Require valid-user : denied (no authenticated user
> yet), referer: http://10.1.1.75/
> [Mon May 08 17:48:55.301702 2017] [authz_core:debug] [pid 19881]
> mod_authz_core.c(809): [client 10.251.14.140:55638] AH01626:
> authorization result of Require valid-user : denied (no authenticated user
> yet), referer: http://10.1.1.75/
> [Mon May 08 17:48:55.301710 2017] [authz_core:debug] [pid 19881]
> mod_authz_core.c(809): [client 10.251.14.140:55638] AH01626:
> authorization result of <RequireAny>: denied (no authenticated user yet),
> referer: http://10.1.1.75/
> [Mon May 08 17:48:55.301736 2017] [auth_kerb:debug] [pid 19881]
> src/mod_auth_kerb.c(1954): [client 10.251.14.140:55638]
> kerb_authenticate_user entered with user (NULL) and auth_type Kerberos,
> referer: http://10.1.1.75/
> [Mon May 08 17:48:55.302037 2017] [auth_kerb:debug] [pid 19881]
> src/mod_auth_kerb.c(1048): [client 10.251.14.140:55638] Using
> HTTP/10.1.1.75@ as server principal for password verification, referer:
> http://10.1.1.75/
> [Mon May 08 17:48:55.302062 2017] [auth_kerb:debug] [pid 19881]
> src/mod_auth_kerb.c(752): [client 10.251.14.140:55638] Trying to get TGT
> for user REDE.COM.BRroot@REDE.COM.BR, referer: http://10.1.1.75/
> [Mon May 08 17:48:55.306313 2017] [auth_kerb:error] [pid 19881] [client
> 10.251.14.140:55638] krb5_get_init_creds_password() failed: Client not
> found in Kerberos database, referer: http://10.1.1.75/
> [Mon May 08 17:48:55.306348 2017] [auth_kerb:debug] [pid 19881]
> src/mod_auth_kerb.c(1127): [client 10.251.14.140:55638]
> kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL),
> referer: http://10.1.1.75/
> --
> <<<<<<<<<<<<<<<<<<<-----------------------------------------
> -------------------------->>>>>>>>>>>>>>>>>>>
>
> < Disse-lhe Jesus: Eu sou o caminho, e a verdade e a vida; ninguém vem ao
> Pai, senão por mim >
>                                                              (João 14:6)
>
>                                                                     Att.
>                                         ♪ ♫  Luiz Guilherme Nunes
> Fernandes  ♫ ♪
>
> <<<<<<<<<<<<<<<<<<<-----------------------------------------
> -------------------------->>>>>>>>>>>>>>>>>>>
>



-- 
<<<<<<<<<<<<<<<<<<<------------------------------------------------------------------->>>>>>>>>>>>>>>>>>>

< Disse-lhe Jesus: Eu sou o caminho, e a verdade e a vida; ninguém vem ao
Pai, senão por mim >
                                                             (João 14:6)

                                                                    Att.
                                        ♪ ♫  Luiz Guilherme Nunes
Fernandes  ♫ ♪

<<<<<<<<<<<<<<<<<<<------------------------------------------------------------------->>>>>>>>>>>>>>>>>>>
